Moving Towards Outdoor EMV
August 23, 2018
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
Housekeeping
This webinar is being recorded and will be made available in approximately 30 days.
• YouTube (youtube.com/conexxusonline)
• Website Link (conexxus.org)
Slide Deck
• Survey Link – Presentation provided at end
Participants
• Ask questions via webinar interface
• Please, no vendor specific questions
Email: [email protected] or [email protected]
Presenters
Conexxus Host & Moderator
Linda Toth, Director of Standards, [email protected]
Speakers
Simon Siew, Director of Payment Solutions, Dover Fueling [email protected]
Willie Nelson, Payment Marketing Manager, Gilbarco [email protected]
Dan Harrell, Chief Innovation Officer, Invenco Group [email protected]
About Conexxus
• We are an independent, non-profit, member driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
2018 Conexxus Webinar Schedule*
Month/Date | Webinar Title | Speaker | Company
May 24, 2018 | QIR in the World of Retail Petroleum | Chris Bucolo, Todd Rosen | ControlScan
June 21, 2018 | How can we leverage data science to more effectively detect security threats? | Thomas Duncan, Ashwin Swamy | Omega ATC
July 26, 2018 | Roadmap to a Vulnerability Disclosure Program | Joe Basirico | Security Innovation
August 23, 2018 | Moving Toward Outdoor EMV | Linda Toth, Willie Nelson, Simon Siew, Dan Harrell | Conexxus, Gilbarco, Dover, Invenco
September 20, 2018 | Your Systems Are Talking to You! | George Sconyers | Omega ATC
November 2018 | Building a Scalable Security Engineering Team | Joe Basirico | Security Innovation
NACS Show
October 7-10, 2018
Las Vegas, NV
Conexxus thanks our 2018 Annual Diamond Sponsors!
Booth 6147
What is EMV?
EMV is a set of international standards that defines interoperability of secure transactions across the international payments landscape. EMV transactions introduce dynamic data specific to the card and the transaction, with the goal of devaluing transaction data in flight and reducing the risk of counterfeit fraud.
EMV has become the worldwide standard, and both U.S. neighbors, Canada and Mexico, have EMV mandates affecting U.S. multinational retailers.
EMV is the stepping stone to the future of payments due to its dynamic data authentication (Contactless, Mobile, QR Code).
In the context of EMV, encryption is only used to protect the PIN. It does not encrypt all of the transaction data.
Payment Regulatory Standards – EMV and PCI
A primary goal of EMVCo and the EMV Specifications is to help facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices. This objective extends to new types of payment devices as well, including contactless payment, mobile payment and QR Payment Code.
PCI PTS Regulatory Roadmap
Requirements Version Used During Evaluation At Laboratory | Expiration of Requirements | Approval Expiration Of Device Models
Version 5.x of PCI PTS POI Security Requirements | April 2020 | April 2026
Version 4.x of PCI PTS POI Security Requirements | Sept 2017 | April 2023
Version 3.x of PCI PTS POI Security Requirements | April 2014 | April 2020
Version 2.x of PCI PED or EPP Security Requirements | April 2011 | April 2017
Version 1.x of PCI UPT Security Requirements | April 2011 | April 2017
Version 1.x PCI PED or EPP Security Requirements | April 2008 | April 2014
EMV Liability Shift Dates
U.S. | Card | Terminal | Liability
Prior to October 1: 2015 POS, 2017 AFD XBorder, 2020 AFD US Dom | Mag stripe only | Mag stripe only | Issuer
After October 1, 2015 for POS In-store | Mag stripe only | Mag stripe only | Issuer
After October 1, 2015 for POS In-store | EMV chip | Mag stripe only | Acquirer/Retailer
After October 1, 2015 for POS In-store | Mag stripe only | EMV chip | Issuer
After October 1, 2015 for POS In-store | EMV chip | EMV chip | Issuer
After October 1, 2017 for AFD XBorder | EMV chip | Mag stripe only | Acquirer/Retailer
After October 1, 2020 for AFD US Domestic | EMV chip | EMV chip | Issuer
There is no EMV liability shift on contactless or lost/stolen fraud transactions
US Contactless Card Forecast (M) (2 in 5 cards in the US will be Contactless by end of 2021)
Today: 75 | 2018: 150 | 2019: 300 | 2020: 400 | 2021: 520
Source: Juniper Contactless Payments Report, 2017-2021
Contactless
Foundation for innovation and enabler for next generation payment experiences including wearables and connected devices
Card brands heavily promote it as offering secure, fast transactions and a seamless implementation process (certification)
Chargebacks from Visa - VFMP
Starting July 2017 to October 2020, retailers with domestic AFD fraud may be put into 2 categories:
Standard Program
Monthly basis thresholds met or exceeded:
o $10K in domestic counterfeit fraud, and
o 0.2% domestic counterfeit fraud amount to domestic sales ratio
Merchant Actions:
• Month 1 – notification to acquirer
• Month 2 – 4: acquirer works with merchant to reduce fraud below threshold
• Month 5: if fraud not reduced, chargebacks enforced
Excessive Program – Starting November 17
Monthly basis thresholds met or exceeded:
o $10K in domestic counterfeit, and
o 2.0% domestic counterfeit fraud amount to domestic sales ratio
Merchant Actions:
• Month 1 – immediate chargebacks enforced
• Must remediate: keep fraud below these levels for 3 consecutive months
If the merchant is unable to reduce its counterfeit fraud levels below program thresholds 12 months after it has entered the program, it may lose Visa acceptance privileges.
New Pump and Retrofit Options
• New pump and OPT warranty
• Must be UL certified for safety
• Fits most existing fuel pumps
• Less expensive EMV option
• New warranty on pay at pump terminal
AFD – PCI and EMV Readiness
[Diagram. Components: Contactless Reader; Hybrid CHIP Reader; PCI PTS Devices; EMV L2 kernel for Contact and Contactless; POS or EPS SW. Certification labels: EMV L1; EMV L2 & PCI; EMV L3]
AFD – EMV hardware and software
• Secure Hybrid Card Readers – EMV L1
• Contactless Reader – EMV L1
• EMV Contact & Contactless kernel – EMV L2
• PCI PTS Certified Devices
Complete Terminal
IP Connect
AFD OPT to POS/EPS on TCP/IP
• Run new CAT 5 cables
• Using existing wires - need TCP/IP converter
• TCP/IP Converter – Wired or Wireless
[Diagram labels: Device manufacturer; Device manufacturer + EPS provider]
PCI and EMV Approval Life Cycle
[Diagram. Components: Contactless Reader; Hybrid CHIP Reader; PCI PTS Devices; EMV L2 kernel for Contact and Contactless; POS or EPS SW; Complete Terminal. Certification labels: EMV L1; EMV L2 & PCI; EMV L3]
• EMV L1: 4 years
• EMV L2: 3 years
• PCI PTS: 10 years
• PCI PA DSS: 3 years
Steps to Enable EMV – A long process and in phases
[Flowchart labels: AFD EMV Ready Configurations; Contactless EMV? (No / Yes); Install Contactless Reader Kits; Purchase/Install EMV Application; TCP/IP Connectivity; Ethernet Converter; EMV Enabled Controller; POS/EPS System; Host Enables EMV; EMV Enabled Site; EMV Payment Processor; AFD EMV Enabled]
Deployment Models - Experiences
Dual Trip: Hands On
Hardware Deployed – only Mag Enabled; 2nd Trip – EMV Software Installation; EMV Enabled Site
• Two service trips
• Hands on monitoring
• Increases logistical issues
Single Trip: Cloud Activated
Hardware Deployed – only Mag Enabled; Cloud distributed EMV Software Installation; EMV Enabled Site
• Single installation trip
• Remote monitoring
• Synchronization challenge
Single Trip: Big Bang
Hardware Deployed – EMV software installed and turned on; EMV Enabled Site
• Single installation trip
• Hands on monitoring
• Logistical and synchronization challenge
Lessons learned
Customer User Experience
• Card insertion experience
• Authorization speed
• Combinations with loyalty and Chip Card
Network Infrastructure
• IP configuration
• Connectivity integrity – old wires problem
Training
• Employee – Managers and Cashiers
• Customers – Start advertising early
TCP/IP Converter
Additional Opportunities with EMV upgrade
Point to Point Encryption
• Conexxus standard protocol
• Reduce PCI scope for store systems
Media
• Drive in-store sales
• Ad revenue models
• Drive brand awareness
Assets Tracking / Diagnostics
• Conexxus Asset Standard
• Manage uptime
• Better customer experiences
Dispenser Security
• Enhance security
• Website: www.conexxus.org
• Email: [email protected]
• LinkedIn Profile: Conexxus.org
• Follow us on Twitter: @Conexxusonline